Abstract

When a computer monitors a physical process, the computer uses sensors to determine the values of the physical variables that represent the state of the process. A sensor can sometimes fail, however, and in the worst case report a value completely unrelated to the true physical value. The work described in this paper is motivated by a methodology for transforming a process control program that cannot tolerate sensor failure into one that can. In this methodology, a reliable abstract sensor is created by combining information from several real sensors that measure the same physical value. To be useful, an abstract sensor must deliver reasonably accurate information at reasonable computational cost.

In this paper, we consider sensors that deliver multidimensional values (e.g., location or velocity in 3 dimensions, or both temperature and pressure). Geometric techniques are used to derive upper bounds on abstract sensor accuracy and to develop efficient algorithms for
One of the oldest techniques in fault-tolerance is using replication to mask failures [Sho68]. For example, TMR, the triple module redundancy scheme, masks the failure of a signal by feeding three independently computed copies of the signal into a majority voter [vN56]. TMR can be easily extended to NMR, or n-module redundancy, whereby $n$ independent copies are fed into a majority voter. With NMR, up to $f =$ signal failures can be masked.

As stated here, NMR assumes a very weak failure model, making it a highly applicable technique. One doesn't, for example, need to know the nature of the faults, the frequency of faults, or the distribution of faulty signal values in order to design a system that uses NMR. The only time such properties are considered is when appropriate values of $f$ and $n$ are computed. This same weak failure model has been applied to several problems in distributed systems, for example consensus [NT88] and reliable broadcast [CAS86], and has also been incorporated into a methodology for building fault-tolerant distributed programs [Sch90,Lam84].

One of us (Marzullo) has been working on the problem of writing provably correct programs that monitor and control physical processes. The state of a physical process is usually represented by a set of values for a corresponding set of continuous physical variables, such as the temperature or pressure of a reaction vessel. Physical values are usually measured by accessing sensors, such as thermometers or pressure gauges. A sensor, however, has a limited accuracy, which introduces some uncertainty in the value of the physical variable it senses, and the real-time nature of physical processes combined with uncertain execution times can increase the uncertainty in the measured value of the physical variable. If this uncertainty is too large or if the underlying sensor is faulty, then the measurement will be useless to a control program.

One can model the value of a sensor as a random variable and then convolve the values of different sensors that measure the same physical variable. Doing so will improve the accuracy of the measured value, but it will also introduce a failure model that is expressed in terms of a (possibly unknown) probability distribution. Instead, in [Mar90] we have represented the value of a physical variable as a contiguous interval and applied the same weak failure model of assuming no more than $f$ out of $n$ sensors are incorrect. We have derived tight bounds on the accuracy of the resulting measured physical values and have presented efficient algorithms ($O(n \log n)$) for masking the faults of such sensors. The bounds for this problem are derived by considering interval graphs [Gol80].

One limitation of the work in [Mar90] is that it is applicable only to sensors that measure a single, independent, real value. An example of a sensor that does not fit this model is one that measures the location of some physical object in 3D space. If such multidimensional sensors are used, then a naive approach to masking failures is to consider failures of the x component separately from failures of the y and z components, but doing so limits the accuracy of the resulting value. For example, any sensor found to be faulty by examining the x components should most likely be discarded when considering the y and z components. This paper extends [Mar90] by considering such multidimensional sensors.

We assume that real sensors have the following properties. Let $s_i$ be a sensor of some physical variable $v$. A measurement $s_i$ is a continuous set of values that conform to some shape, such as a continuous interval, a rectangle, a sphere, etc. We say that $s_i$ is correct if it is not too inaccurate and always includes the value of the actual physical variable. More precisely, for some upper bound $acc$ on the accuracy of $s_i$,

$$s_i \text{ correct} \equiv v \in s_i \wedge |s_i| \le acc$$

Thus, a real sensor can fail in two ways: it can fail to contain the true value, or it can report a region so large as to be useless. For the purposes of this paper, we assume such large-region sensors can be detected and discarded by preprocessing the real sensor data ($n$ and $f$ will have to be adjusted). Thus, for the remainder of this paper, we can assume without loss of generality that all sensors are accurate (report regions of reasonable size) and that a sensor can be incorrect only by failing to contain its corresponding true value.

Let $s_i$ and $s_j$ ($i \ne j$) be the measurements by two abstract sensors for the same physical value $v$. If $s_i$ and $s_j$ both contain the correct value, then the intervals $s_i$ and $s_j$ must intersect, and their intersection must contain the (unknown) value $v$.

Consider a set $S = \{s_1, s_2, \ldots, s_n\}$ of $n$ independent measurements of the same physical value. If $f$ or fewer measurements do not contain the correct value, then any set of $n - f$ mutually intersecting measurements may contain the correct value within their intersection, since they each share a common value. Conversely, any point not contained in at least $n - f$ measurements cannot be the correct value; if it were, then there would be more than $f$ faulty sensors. So, the cover of all $(n - f)$-cliques must contain the correct value. (An $(n - f)$-clique corresponds to a value where at least $(n - f)$ sensor measurements intersect.)

We have one further constraint: any program written to deal with a single measurement assumes that the sensor delivers a region of some expected shape (e.g., rectangle, sphere, cube, etc.), so we require the cover to also have this same shape. This constraint allows us to improve a program based on a single (unreliable) real sensor by changing only the sensor; the real sensor is replaced by several real sensors whose inputs are combined to produce a single abstract sensor. The program can use the resulting abstract sensor just as it originally used the single real sensor.

To summarize, we have the following goals for our abstract sensor:

1. It should be guaranteed (assuming no more than $f$ failures) to deliver a region containing the true physical value.

2. It should deliver a shape that is within the same class as the shapes delivered by the individual real sensors.

3. It should be accurate. In other words, assuming no more than $f$ failures, it should deliver a region that is not significantly larger than a region that might be delivered by a single, correct real sensor.

4. It should be efficient to compute. An abstract sensor is useless unless it can be computed in a reasonable amount of time.

It is useful to define $I_{f,n}(S)$, the smallest region that satisfies goals 1 and 2. In other words, $I_{f,n}(S)$ is the smallest figure of the correct shape that covers all $(n - f)$-cliques in $S$. For instance, if the individual sensors report intervals in one dimension, then $I_{f,n}(S)$ is the smallest interval that contains all the $(n - f)$-cliques. It is clear that the (unknown) true value $v$ is a member of $I_{f,n}(S)$ as long as no more than $f$ measurements are faulty.

Figure 1 illustrates $I_{f,n}(S)$ for measurements that are rectangles. The left-hand figure shows four measurements, and the right-hand figure shows the rectangle that covers all 3-cliques of the measurements.

Figure 1: $I_{1,4}(S)$ for Rectangular Measurements.

Although $I_{f,n}(S)$ always contains the correct value and is defined for all $f : 0 \le f < n$, it may be difficult to compute, or its size $|I_{f,n}(S)|$ may be too large to be of use to any control program.

In the following sections, we derive upper bounds on $|I_{f,n}(S)|$ as a function of $f$, $n$, and the sizes of $s_i \in S$. We use this information to develop algorithms for abstract sensors. The results derived in [Mar90] for 1D intervals are summarized in Section 2. In Section 3 we derive upper bounds and algorithms for measurements that are d-dimensional rectangles, and in Section 4 we discuss abstract sensors for measurements that are d-dimensional circles. Note that the results on circles actually hold for any class of convex shapes in which the shapes are geometrically similar and share the same orientation.
2 Linear Sensors

In [Mar90], Marzullo shows that for linear sensors (sensors that report 1D intervals) $I_{f,n}(S)$ can be found efficiently, and that for $f < n/2$, $I_{f,n}(S)$ has reasonable size. The upper bounds on $|I_{f,n}(S)|$ are stated in the following two theorems.

First, we need some notation. Define the functions $\min_i$ and $\max_i$ to be the $i$th smallest and $i$th largest values of a set of $n$ values, respectively. Note that $\min_i$ is the same as $\max_{n-i+1}$. For example, if $S = \{13, 14, 15\}$ then $\min_3(S) = \max_1(S) = 15$.

Theorem 1 Let $S$ be a set consisting of $n$ intervals. If $0 \le f < n/2$ then $|I_{f,n}(S)| \le \min_{2f+1}\{|s| : s \in S\}$.

Thus, when $f < n/2$, the resulting abstract sensor is as accurate as one of the original sensors. $I_{f,n}(S)$ can also be computed efficiently, in $O(n \log n)$ time, by sorting the endpoints of the $n$ intervals, then moving through the endpoints in order, keeping track of the depth at each instant.

The second theorem states that there is no upper bound on the size when $f \ge n/2$.

Theorem 2 Given a set $\{\ell_1, \ell_2, \ldots, \ell_n\}$ of $n$ lengths and $n/2 \le f < n$, then for any length $\Lambda > \max\{\ell_1, \ell_2, \ldots, \ell_n\}$ there exists a set of $n$ intervals $S = \{s_1, s_2, \ldots, s_n\}$ where $\forall i : 1 \le i \le n : |s_i| = \ell_i$ and $|I_{f,n}(S)| = \Lambda$.

2.1 Multidimensional Sensors and Projection

The 1D results on intervals can be used directly to give results for multidimensional sensors. For a d-dimensional sensor, we project the region for sensor $s_i$ onto each of the $d$ orthogonal axes. We now have $d$ separate 1D problems. These problems can be solved individually and then recombined to produce a d-rectangle.

There are several possible disadvantages to this approach:

1. Information may be lost. For example, the knowledge that a sensor's z-coordinate cannot possibly be correct should be used to toss out the entire sensor.

2. A d-rectangle is not necessarily the desired shape. For example, our abstract sensor may be required to report a circle.

3. The size of the resulting sensor may be larger than necessary (see Figure 2).

Figure 2: Intersection vs. Intersection of Projections ($n = 3$, $f = 1$).

In fact, projection techniques are the method of choice in some situations (see Section 3), but these situations depend on the shapes involved and the relationship between $f$ and $n$.

3 d-Rectangles

If $s_i$ is constrained to be a d-dimensional rectangle, then another upper bound can be placed on the size of $I_{f,n}(S)$.

Theorem 3 Let $S$ be a set consisting of $n$ d-dimensional rectangles. If $0 \le f < n/(2d)$ then $|I_{f,n}(S)| \le \min_{2df+1}\{|s| : s \in S\}$.

The proof of this theorem is based on a counting argument that shows $I_{f,n}(S)$ is contained in at least $n - 2df$ of the original rectangles.
The bound on $f$ given in the theorem is tight. Figure 1 shows a 2D example with $f = 1$ and $n = 4$ (so $f = n/(2d)$) where $I_{1,4}(S)$ is larger (in area) than any of the original rectangles. Similar examples can be built for any dimension $d$.

This theorem shows that increased accuracy comes with a price: if it is desired that $|I_{f,n}(S)|$ be at least as accurate as some measurement in $S$, then the amount of replication needed increases quickly (linearly) with $d$. For example, in order to tolerate a single failure for measurements that are 3D rectangles, a sensor must be replicated at least 7 times.

3.1 Algorithms for Rectangles

For 2D problems (and for 1D problems), efficient algorithms exist to compute $I_{f,n}(S)$ directly. Consider rectangles in two dimensions. The smallest rectangle containing all of the $(n - f)$-cliques can be found in $O(n \log n)$ time by using a sweep-line combined with Bentley's segment tree (see, for instance, [PS85]). Note that, although the entire boundary of the $(n - f)$-cliques can be of complexity $n^2$, we need only determine the left, right, top, and bottom boundaries. This can be done efficiently by keeping depth information within the segment tree.

Unfortunately, this technique does not generalize well to higher dimensions. For instance, 3D rectangles (rectangular parallelepipeds) require a sweep-plane with dynamic insertion and deletion of 2D rectangles.

There is, however, an efficient algorithm that reports a d-rectangle for any $d$ that is almost as good as the minimal d-rectangle that we desire. This uses the projection technique, converting a d-dimensional problem into $d$ 1-dimensional problems. The results of these separate 1D problems are combined to produce the projection rectangle, a d-rectangle that is guaranteed to be of reasonable size. The algorithm is based on the following theorem.

Theorem 4 Let $S$ be a set consisting of $n$ d-dimensional rectangles. If $0 \le f < n/(2d)$ then the size of the projection rectangle is $\le \min_{2df+1}\{|s| : s \in S\}$.
Note that the projection rectangle can be computed in $O(dn \log n)$ time and has exactly the same size bound as $I_{f,n}(S)$. Thus, if our goal is to create an abstract sensor that is at least as accurate as some measurement in $S$, the projection rectangle is as good as $I_{f,n}(S)$.

The full paper will include examples showing that neither $I_{f,n}(S)$ nor the projection rectangle is necessarily larger than the other.
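As an added worked example (not code from the paper), the following Python implements the endpoint sweep of Section 2 for 1D intervals and the projection rectangle of Theorem 4 from Section 3.1, then checks the Theorem 4 size bound on a constructed set of five 2D sensor rectangles, one of them faulty; the function names and the sample data are assumptions of this example.

```python
# Added example (not from the paper): Marzullo's 1D endpoint sweep for
# I_{f,n}(S) (Section 2) and the projection rectangle of Section 3.1.
from typing import List, Optional, Tuple

Interval = Tuple[float, float]     # closed interval [lo, hi]
Box = Tuple[Interval, ...]         # d-rectangle: one interval per axis

def interval_cover(intervals: List[Interval], f: int) -> Optional[Interval]:
    """Smallest interval containing every point that lies in at least n - f
    of the inputs, i.e. I_{f,n}(S) for linear sensors, in O(n log n)."""
    need = len(intervals) - f
    if need <= 0:
        raise ValueError("f must be smaller than n")
    # (coordinate, kind) with kind 0 = start, 1 = end; sorting puts starts
    # before ends at equal coordinates, so touching closed intervals intersect.
    events = sorted([(lo, 0) for lo, _ in intervals] +
                    [(hi, 1) for _, hi in intervals])
    depth, left, right = 0, None, None
    for x, kind in events:
        if kind == 0:
            depth += 1
            if depth == need and left is None:
                left = x        # first point where an (n-f)-clique begins
        else:
            if depth == need:
                right = x       # last point before depth drops below n-f
            depth -= 1
    return None if left is None else (left, right)   # None: no (n-f)-clique

def projection_rectangle(boxes: List[Box], f: int) -> Optional[Box]:
    """Theorem 4's projection rectangle: solve each axis as a separate 1D
    problem and recombine the d answers (O(d n log n) total)."""
    sides = []
    for axis in range(len(boxes[0])):
        side = interval_cover([b[axis] for b in boxes], f)
        if side is None:
            return None         # this axis has no (n-f)-clique at all
        sides.append(side)
    return tuple(sides)

def size(box: Box) -> float:    # |s|: length in 1D, area in 2D, volume in 3D
    vol = 1.0
    for lo, hi in box:
        vol *= hi - lo
    return vol

def meets_theorem4_bound(boxes: List[Box], f: int) -> Optional[bool]:
    """Theorem 4 on concrete data: when f < n/(2d), the projection rectangle
    is no larger than the (2df+1)-th smallest input; None if f is out of range."""
    n, d = len(boxes), len(boxes[0])
    if 2 * d * f >= n:
        return None
    kth = sorted(size(b) for b in boxes)[2 * d * f]   # min_{2df+1}{|s|}
    rect = projection_rectangle(boxes, f)
    return None if rect is None else size(rect) <= kth

# Constructed sample: five 2D sensors (n = 5); four contain the true position
# (0.25, 0.25), the fifth reports a region far away and so is faulty.
SENSORS: List[Box] = [
    ((-1.0, 1.0), (-1.0, 1.0)),
    ((-0.5, 1.5), (-1.5, 0.5)),
    ((-1.5, 0.5), (-0.5, 1.5)),
    ((0.0, 2.0), (0.0, 2.0)),
    ((10.0, 12.0), (10.0, 12.0)),   # faulty
]
```

With $f = 1$ the sample yields the projection rectangle $[0, 0.5] \times [0, 0.5]$, which contains the true position and is far smaller than the $\min_{2df+1}$ bound of 4; with $f = 2$ the check returns None because $2df = 8 \ge n$.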

4 d-Circles

If $s_i$ is constrained to be a d-dimensional circle (sphere in 3D), then the following upper bound can be placed on the size of $I_{f,n}(S)$:

Theorem 5 Let $S$ be a set consisting of $n$ d-circles. If $0 \le f < n/(d+1)$ then $|I_{f,n}(S)| \le \min_{(d+1)f+1}\{|s| : s \in S\}$.

The proof of this theorem will appear in the full paper. Note that this bound grows more slowly with $d$ than does the bound of Theorem 3. For example, in order to tolerate a single failure for measurements that are spheres, a sensor must be replicated at least 4 times.

Algorithms for d-circles are not as efficient as algorithms for d-rectangles. Even in 2D, it appears that to find the $(n - f)$-cliques it is necessary to build the entire arrangement of $n$ circles. Since $n$ circles can have $\Omega(n^2)$ intersections, building the arrangement must take time $\Omega(n^2)$. (The incremental algorithm for building an arrangement of circles takes worst-case time $O(n \lambda_4(n))$, where $\lambda_4$ is an almost-linear function related to Davenport-Schinzel sequences [EGPRSS]; using randomization, the arrangement can be built in expected time $O(m + n \log n)$, where $m$ is the number of intersections [Mul89].) Of course, we can replace each d-circle by a d-square that contains it and use the rectangle techniques, but this may produce an answer less accurate than desired.
5 Discussion

We have shown how several real sensors (that measure the same multidimensional physical data) can be combined to produce a reliable abstract sensor. This process can be done efficiently, reporting a region guaranteed to be of reasonable size, for d-rectangles provided $f < n/(2d)$, where $n$ is the number of real sensors and $f$ is the number of real sensors that are faulty. For d-circles, an abstract sensor region of reasonable size exists provided $f < n/(d+1)$, but determining this region is considerably less efficient. As mentioned in the Introduction, the results on size bounds for circles actually hold for any class of convex shapes in which the shapes are geometrically similar and share the same orientation.

Improved results are possible if sensors are known to report d-rectangles that are all the same size and orientation. In this case, the projection technique can be used to create an abstract sensor which reports a d-rectangle of the standard size in $O(dn \log n)$ time provided $f < n/2$. Note that for this case, the required relation between $f$ and $n$ is independent of $d$. The reported rectangle may not correspond to any of the original rectangles, but it will be bounded by the correct size.

In contrast, for identically sized circles, the smallest circle covering all of the $(n - f)$-cliques may be larger than the initial circles even when $f < n/2$. Of course, the bound in Theorem 5 still applies; $|I_{f,n}(S)|$ is bounded by the size of the initial circles when $f < n/(d+1)$.

In this shortened version of our work, we have room for only a brief mention of fast approximation techniques. A grid of equal-sized buckets can be used to detect $(n - f)$-cliques, leading to a linear-time abstract-sensor algorithm at the cost of some accuracy. This technique works for both d-rectangles and d-circles, but is more accurate for rectangles.